Persistent Asymmetric Password-Based Key Exchange

Persistent Asymmetric Password-Based Key Exchange Shaoquan Jiang

arXiv:1004.3037v1 [cs.CR] 18 Apr 2010

School of Computer Science and Engineering, University of Electronic Science and Technology of China Email: [email protected] URL: http://sites.google.com/site/shaoquan0825

Abstract. Asymmetric password based key exchange is a key exchange protocol where a client and a server share a low entropic password and the server additionally owns a high entropic private key of a public key. This problem has not been well studied in the literature although its harder variant (i.e., password-only key exchange), in which the only secret for both a server and a client is a shared password, has been extensively studied. This situation perhaps is due to the fact that the existing solutions (e.g, by Halevi and Krawczyk (ACM TISSEC 1999) and by Boyarsky (CCS 1999)), are already very simple and proven secure. In this paper, we will see that this understanding is not true by studying a new threat. That is, once the server’s high entropic private key gets compromised (e.g., due to cryptanalysis, virus stealth and faulty implementation), the adversary might be able to break in a larger number of accounts in a short time and cause uncountable damage. In this setting, we do not expect the protocol to remain secure against a off-line dictionary attack since, otherwise, the protocol is a secure passwordonly protocol (with server long key as part of common reference string) and is usually very inefficient. However, if the attacker only has the computing source (e.g., time) to enumerate one dictionary, she should not be able to break a lot of accounts. Achieving this is important as it saves time for server to realize the attack and respond properly. We formalize this problem and propose a simple and natural framework for it. Our framework is as efficient as the protocol by Halevi and Krawczyk (1999) and Boyarsky (1999) while neither of the latter can survive against the new threat. Our framework is proven secure in a normal model (i.e., server long key is uncorrupted). It is also proven secure against the new threat. For the latter, we show that if the adversary has the running time T , then it can break ℓ account with probability negligibly bounded by exp(−2ℓ(0.5 − α)2 ) for T < ℓαD, where α < 1/2 is a constant and D is the dictionary size. The proof mainly relies on our analysis of a novel probability experiment, which is of independent interest.

Keywords. Authentication, Password Key Exchange, Projective Hash Function.

1

Introduction

Key exchange (KE) is one of the most important issues in secure communication. It helps two communicating parties to securely establish a common session key, with which the subsequent communication can be protected. In the literature, there are two types of key exchange. In the first type, two interactive parties own high entropic secrets(e.g., a signing key of a digital signature). This type has been extensively studied in the literature; see a very partial list [1,24,25,8,11]. The second type is password authenticated key exchange, in which it is assumed that the two parties share a human-memorable (low entropy) password. The major threat for this type of key exchange is an off-line dictionary attack. Specifically, if one can catch a function value of the password (say, F (pw)), then he can search through all the possible passwords to find the correct one consistent with F (pw). Since the password space is small, this attack is feasible. In the literature, two types of password key exchange protocols are studied. In the first type, two parties only own a common password. This setting has been extensively studied. In the second type, the client and server share

a password while the server additionally owns a high entropic private key of a public key. This setting, although initiated in early 1990s, is not well studied. This is probably due to two facts: (1) it is not as challenging as the first setting; (2) existing constructions (e.g., [16,6]) are already simple and proven secure. However, these reasons may not be convincing since (1) password-only based constructions are much less efficient; (2) [16,6] do not survive to the following threat: when the server long key is compromised, the attacker might quickly break into a large number of accounts and cause uncountable damage. In this case, it is desired that he can only break a few accounts in a limited time. If this is the case, the server will have time to realize the attack before a severe damage occurs. 1.1

Related Work

Password authenticated key exchange was first studied by Bellovin and Merritt [4]. Password-only key exchange has been extensively studied in the literature; e.g. [5,18,27]. The first provably secure solution is due to Bellare et al. [2] and more works [21,13,19,7,9,12,22] follow. In this paper, we consider the asymmetric password key exchange. The dictionary attack for it was first addressed by Gong [14]. Halevi and Krawczyk [15] proposed a very efficient solution, which essentially let the client to encrypt the password and key exchange information using the server’s public key. Boyarsky [6] pointed a flaw in [15] (but not in the revised version [16]) and showed several ways to fix it. Recently, Kolesnikov and Rackoff [23] pointed a flaw of [16] which can be regarded as an extended attack of [6]. This attack essentially means when an adversary corrupts one party A and executes many times in the name of A with the server (using one eavesdropped transcript between another client B and the server), then the adversary can eventually recover B’s password. This attack was considered in the model [6] and is provably prevented in the protocol [6]. However, we find that all of these works suffer from a new threat. That is, when the server long private key is compromised (e.g., due to cryptanalysis, virus stealth and faulty implementation), the attacker might quickly break into a lot of user accounts. In deed, in [6,15,16], the password is encrypted using the server public key, an attacker can decrypt it using a server private key. By this, the adversary even does not need to launch an off-line dictionary attack. 1.2

Contribution

In this paper, we consider how to construct an asymmetric password-based key exchange protocol secure in a normal model and secure against the new threat. That is, when the sever long key is uncorrupted, the protocol is secure in the normal model (especially against an off-line dictionary attack); when the server long key is compromised, the adversary of runtime T can break ℓ accounts only with small probability for T < ℓαD where α < 1/2. It is inappropriate to expect the protocol in the latter setting can survive against an off-line dictionary attack; otherwise, the protocol in fact is a secure password-only protocol (regarding the server long private key as part of common reference string) and is inefficient in the literature. We first modify the Bellare-Pointcheval-Rogaway model [2] to capture the conventional security for asymmetric password key exchange in the multi-user setting. Although [6] provided a model for this, we prefer ours since it seems more convenient for security analysis. Then, we propose a new framework for this problem using a tag-based projective hash function (tag-PHF), where tag-PHF is extended from the notion of PHF [10]. We show that our framework is secure in the conventional model. Then, we formulate a new security model for the new threat and call a satisfying protocol 2

persistent. Next, We show that our framework is persistent. The proof relies on our analysis for a novel probability experiment, which is of independent interest. Finally, we realize our framework by modified Kourusawa-Desmedt tag-PHF. This realization has a cost of 4 exps for client and 2 exps for server, where exp is computed modular a prime p. It is worth mentioning that we adopt a recent technique by Jiang et al. [20] for avoiding a group membership checking. Avoiding a group membership verification is important as it usually involves costly modular exponentiations. Notations. For a set S, x ← S samples x from S randomly; A|B means concatenating A with B. We use negl : N → R to denote a negligible function: for any polynomial p(x), limn→∞ negl(n)p(n) = 0. Probability distance of two ensembles A, B over a finite alphabet Ω 1P is defined as dist[A, B] = 2 v∈Ω | Pr[A = v] − Pr[B = v]|. For a ∈ N, define [a] = {1, · · · , a}. For a set S ⊆ R, define ±S = {a, −a | a ∈ S}. PPT means probabilistic polynomial time.

2

Security Model

In this section, we introduce a formal model of security. This model is mainly adopted from Bellare, et al. [2] and [3]. We have modified their model in order to capture the speciality in the setting of asymmetric password key exchange, where the server has a public key and a password while the client only has a password. We also make a simple change to the security quantification in order to capture the attack in [23]. In [19], mutual authentication (MA) are integrated as part of privacy. This seemingly saves the effort to prove MA separately. We adopt this convention as well. The following is a list of notions that will be used in the paper. − D: a password dictionary. For simplicity, we assume it has a uniform distribution and D = {1, · · · , N }. However, our result can be extended to the setting where D does not have this structure or distribution. − Client Ci and Server S: In our setting, the key exchange procedure involves a client Ci and a server S. S has a public key Θ and a private key θ and he also shares a password πi with Ci . The public key Θ is available to all clients. − Πiℓi and ΠSℓS : Πiℓi is a protocol instance li within client Ci . This instance essentially is a new copy of the key exchange protocol executed in Ci . ℓi is unique within Ci . This uniqueness is only to distinguish different instances in Ci . Especially, it is unnecessarily globally unique. ΠSℓS is a protocol instance ℓS within Server S and has a similar interpretation as Πiℓi . In this paper, by a general ΠUℓU , we mean that U is either S or some client i. − F low i : The ith message in the protocol flows. − sidℓUU : the session identifier of a particular instance ΠUℓU , where U is either a client i or server S. This variable is defined for the purpose of security analysis so that if two instances are jointly executing a protocol then they will have the same session id. The definition for sid is clear only when the protocol specification is available. - skUℓU : This is the session key defined by instance ΠUℓU . − pidℓUU : the party, which ΠUℓU assumes that he has been interacting with. - statℓUU : This is the current session state of ΠUℓU . Simply speaking, it is the intermediate data (other than the long term secret) necessary to conduct the remaining execution of ΠUℓU . When ΠUℓU has successfully completed, by default, it is assumed that statℓUU = (U, pidℓUU , skUℓU ). - Client(ΠUℓU ) : For any ΠUℓU , either U or pidℓUU (but not both) is some client i. Hence, it is well-defined if we use Client(ΠUℓU ) to denote this client. 3

Partnering. Two instances ΠUℓU and ΠVℓV are said to be partnered if (1) pidℓUU = V and pidℓVV = U ; (2) sidℓUU = sidℓVV , where U , V is either a server S or some client i. Adversarial Model. Assume there are n clients C1 , · · · , Cn and a Server S. A client Ci will be initialized with a random password πi ∈ D, which is shared with his server S. Server S, besides owning all clients’ passwords, will additionally have a high entropic public key Θ and a private key θ. Θ is also available to all clients. Now we present the adversary model and defines what is called security. Essentially, we allow the adversary to fully control the external network. He can inject, modify, block and delete messages at will. He can also request any session keys adaptively. Formally, the adversarial behaviors are modeled as access to the following oracles. • Execute(i, ℓi , S, ℓS ). When this oracle is called, a protocol execution between Πiℓi and ΠSℓS takes place. At the end of the execution, a complete transcript (messages exchanged between the two instances) is returned. This oracle call models a threat from an eavesdropping attack. Note, literately, it can be replaced by a sequence of Send(d, ·) blow. It is defined separately for convenience of security quantification later, where it is required that Execute queries should not be useful to adversary success. • Send(d, U, ℓU , M ). When this oracle is called, message M is sent to instance ΠUℓU as F lowd . The oracle output is whatever ΠUℓU returns according to the protocol specification. We stress that the oracle response needs to be consistent with Send(d − 2t, U, ℓU , ∗) for all t > 0. By default, when d = 0, M = null. In cases of d = 0 or 1, the instance ΠUℓU should be initialized first. The oracle call reflects a threat from a man-in-the-middle attack. • Reveal(U, ℓU ). This query is allowed only if ΠUℓU has successfully completed. When this oracle is called, it outputs the session key skUℓU . This query reflects the session key loss attack. • Corrupt(i). This is a corrupt query to Ci . Upon this query, his password πi as well as all session states {statℓi i }ℓi in Ci will also be given to adversary. After this query, Ci is no longer active and its action will be replaced by adversary. This query models the break-in attack or insider attack. • Test(U, ℓU ). This query is a security test for session key skUℓU . The adversary is allowed to query it only once. The queried session must have successfully completed. Throughout the game, U and pidℓUU should not be corrupted; ΠUℓU and its partnered instance (if any) should not be issued a Reveal query. When Test oracle is called, it flips a fair coin b. If b = 1, then the session key of ΠUℓU is provided to adversary; otherwise, a random number of the same length is provided. The adversary then tries to output a guess bit b′ . If b′ = b, he will be informed Success; otherwise, Fail. Having defined adversary behavior, we come to define the protocol security. It contains three conditions: correctness, authentication and secrecy. Correctness. If two partnered instances both accept, then they conclude with the same session key except for a negligible probability. Authentication. If an instance ΠUℓU , with U and pidℓUU = V uncorrupted, has successfully completed while there does not exist a partnered instance ΠVℓV for ΠUℓU or such an instance is not unique, then we say authentication is broken, denoted by Non-Auth. For ease of security analysis later, we further specify Non-Auth according to clients. For any ΠUℓU , since Client(ΠUℓU ) is uniquely defined, we can specifically denote the above authentication break by Non-Authi for i = Client(ΠUℓU ). Intuitively, this is a break of authentication at an instance using password πi . 4

Secrecy.

The adversary can succeed in the Test session. Denote this event by Succ.

Note that it is important to properly define the session id sid (hence the partnership) so that we do not classify a secure protocol as insecure. For instance, if we define the complete protocol transcript as the session id, then any protocol is insecure since as long as we hold the last message flow, Non-Auth event always occurs. This problem was noticed in [19]. Now we can summarize a formal definition of security as follows. Definition 1. Let Qi be ♯ of Send(d, U, ℓU , ·) queries such that i = Client(ΠUℓU ). κ is the security parameter. An asymmetric password-based key exchange protocol Ξ is said secure if it satisfies • Correctness. • Authentication.

For any client Ci , i = 1, · · · , n, it holds that Pr[Non-Authi (A)] ≤

Qi + negl(κ). |D|

(1)

• Secrecy. When authentication is not broken, then adversary can succeed in Test query with probability at most negligibly close to 1/2. i.e., Pr[Succ(A) | ¬Non-Auth] < 1/2 + negl(κ).

(2)

where Non-Auth = ∨ni=1 Non-Authi . Pn Remark. Note if Qs is ♯ of Send queries, then Qs = i=1 Qi . Hence, authentication in Qs Definition 1 implies that Pr[Non-Auth(A)] < |D| + negl(κ). This furthermore indicates that Qs + negl(κ), which coincides with the original definition [2]. However, our Pr[Succ(A)] < 1/2 + 2|D| modification has more security impact. Specifically, if A interacts with Server S in the name of Ci (no matter Ci is corrupted or not), it will not change the distribution of other client Cj ’s password πj . In [23], Kolesnikov and Rackoff presents an attack to Halevi and Krawczyk protocol [15,16], where adversary first obtains a transcript tr (two messages) between Ci and S; then he corrupts Cj and obtains πj ; next he, in the name of Cj , communicates with S under the help of tr. The last stage is launched many times and finally it can obtain πi and hence can impersonate Ci successfully. Under our definition, interactions between Cj and S will not reduce the potential space of πi (otherwise, naive guess and impersonation can increase the probability of Non-Auth. However, in our definition, it is negligibly bounded by Qi /|D| and Qi remains unchanged even if Cj (or the adversary in the name of Cj ) has run the protocol with S for many times. We remark that this attack has been considered in the model [6]. But our model seems more convenient for security analysis.

2.1

Persistency against Leakage of Server Long Key

In the asymmetric password-based key exchange, besides a short password, the server additionally owns a private key for a public key. We now formalize the security when this private key gets compromised. This threat is possible, due to cryptanalysis, Trojan Horse virus and a faulty implementation on the public key system. When this occurs, it is desired that the adversary should not be able to quickly break a lot of user accounts. Known protocols [15,16,6] are insecure under this attack since they encrypt the password explicitly and can be decrypted using this private key. 5

One might hope that a secure protocol in this setting can resist an off-line dictionary attack. However, the protocol in this setting is essentially a password-only protocol (regarding a compromised private key as part of common reference string), which is inefficient in the literature. Hence, a proper model should allow an off-line dictionary attack. That is, it is possible that an attacker can crack a password using |D| off-line operations. But he should not able to crack 100 passwords using just a resource of brute force search for one password. This will allow the server to realize the attack safely and respond properly. Numerically, it is desired that to break in ℓ accounts, the attacker must cost O(ℓ|D|) computing resource. If we regard one time unit as a certain password consistency check (determined in the protocol analysis), the security goal in this setting can be semi-formally stated as follows. For any adversary with time T significantly less than ℓ|D|, it can only break ℓ users with probability negligibly bounded by exp(−βℓ), where β is some constant. Here “negligibly bounded” is interpreted as at most exp(−βℓ)+ negl(κ). We should not expect this value to be negligible since ℓ does not necessarily depend on the security parameter κ. Note an off-line dictionary attack in average can break a password using guess and consistency check for |D|/2 times. Thus, for this probability to be small, it is necessary that T < ℓα|D| for some α < 1/2. To formally define the adversary success in this setting, we need to specify what the adversary can do. An immediate answer is to simply adopt the adversary capability in the normal model, where the server long key is uncorrupted. Certainly, this has no security flaw. However, we should keep in mind that our new threat itself is an exception event, many normal threats are no longer likely to occur. Details follow. Test query is to measure the secrecy of a session key. In our setting, a session key secrecy is no longer important or guaranteed since we are only interested in entity authentication. Reveal query is to model the session key loss attack. Again, our exception event does not last long and hence such a threat is unlikely to occur. Corrupt query is of no help since after corrupting a client Ci , the information that adversary obtains is determined by Ci ’s random tape and his password πi , which are independent of the remaining data. Also in this case, server’s action with Ci can be simulated by the adversary himself since he has both πi and θ in hand. Finally, given servery long key, Execute query no long provides nothing to adversary and hence there is no need to separate it from Send query. Therefore, we only need to consider Send queries. Hence, it is desired that with access to Send oracles, any adversary of time T < αℓ|D| for α < 1/2, can only break the authentication with respect to ℓ users with probability negligibly bounded by exp(−βℓ), where β is a constant. Formally, Definition 2. ℓ ∈ N and α < 1/2. Ξ is an asymmetric password-based key exchange protocol, where D is the password dictionary and (Θ, θ) is the server’s public key and private key respectively. Then Ξ is persistent against leakage of θ if for any PPT adversary A of time T < ℓα|D| and with access to Send oracles, Non-Authi occurs to ℓ users with probability negligibly bounded by exp(−βℓ) for some constant β > 0.

3

Tag-Based Hash Proof System

In this section, we introduce a tag-based hash proof system, which is revised from the original hash proof system [10] by mainly introducing a tag. 6

3.1

Subset Membership Problem

A hard subset membership problem essentially is a problem that one can efficiently sample a hard instance in it. Formally, a subset membership problem I is a collection {In }n∈N , where In is a distribution for a random variable Λn that can be sampled in polynomial time: • Generate a finite non-empty set Xn , Ln ⊆ {0, 1}poly(n) s.t. Ln ⊂ Xn , and distribution D(Ln ) over Ln and distribution D(Xn \Ln ) over Xn \Ln . • Generate a witness set Wn ⊆ {0, 1}poly(n) and a NP-relation Rn ⊆ Xn × Wn such that x ∈ Ln if and only if there exists w ∈ Wn s.t. (x, w) ∈ Rn . x ← D(Ln ) can be sampled in polynomial time w and the sampling procedure also outputs a witness w ∈ Wn s.t. (x, w) ∈ Wn . We use x ← D(Ln ) to denote this procedure and omit w when it is not of a concern. Further, x ← D(Xn \Ln ) can be sampled in polynomial time too. Finally denote Λn = hXn , Ln , Wn , Rn , D(Ln ), D(Xn \Ln )i. I = {In }n∈N is called a hard subset membership problem if for hXn , Ln , Wn , Rn , D(Ln ), D(Xn \Ln )i ← In and x ← D(Ln ) and y ← D(Xn \Ln ), x and y are indistinguishable. 3.2

Tag-based Projective Hash Function

Let Λ = hX, L, W, R, D(L), D(X\L)i be sampled from a hard subset membership problem In . Consider a tuple Ψ = hH, K, X, L, G, S, αi, where G, S, K are finite, non-empty sets, H = {Hk (·, ·) | k ∈ K} is a set of hash functions from X × {0, 1}∗ to G and α : K → S is a deterministic function. K is called a key space, k ∈ K is called the projection key; S is called the projection space for α. Ψ is called a tag-based projective hash function (tag-PHF) for Λ, if Hk (z, x) for x ∈ L and tag z ∈ {0, 1}∗ , is uniquely determined by α(k), z, x. It is called an efficient tag-PHF, if α(k) and Hk (z, x) are both polynomially computable for given (k, x, z) and if Hk (z, x) can be also polynomially computable using x, w, α(k), z where (x, w) ∈ R. In this paper, by tag-PHF, we mean an efficient tag-PHF. The following notion of computational universal2 is slightly revised from [17], which in turn is extended from the notion of universal2 by relaxing the statistical indistinguishability to the computational indistinguishability. Definition 3. Λ = hX, L, W, R, D(L), D(X\L)i ← In , where {In }n is a hard subset membership problem. Ψ = hH, K, X, L, G, S, αi is a tag-based projective hash function for Λ. Ψ is computational universal2 if any PPT A only has a negligible advantage in the following game. Sample k ← K and provide (desc(Ψ ), α(k)) to A, where desc(Ψ ) is the description of Ψ . - A can issue a (z, x) ∈ {0, 1}∗ × X to an Evalu oracle, where oracle Evalu is defined as follows. It checks if x ∈ L (maybe in exponential time). If yes, return Hk (z, x); otherwise ⊥. - Throughout the game, A can come up with distinct pairs (z1 , x1 ) and (z2 , x2 ) (may not at the same time or in this order) where x1 , x2 ∈ X\L, z1 , z2 ∈ {0, 1}∗ . For query (z1 , x1 ), he receives Hk (z1 , x1 ); for query (z2 , x2 ), he receives Kb , where b ← {0, 1}, K0 = Hk (z2 , x2 ) and K2 ← G. After issuing these two queries, A can still query any (z, x) to Evalu (recall x1 , x2 6∈ L and hence no restriction on (z, x)). At the end of game, A outputs a guess bit b′ for b. He succeeds if b′ = b. 7

3.3

MAC-CU2 Lemma

Let {Iκ }κ be a hard subset membership problem. Λ = hX, L, W, R, D(L), D(X\L)i ← Iκ and Ψ = hH, K, X, L, G, S, αi is a tag-based projective hash function for Λ, where G = {0, 1}2κ . Take k ← K as the private key and define pk = (α(k), desc(Ψ )) as the public key. Let MAC : {0, 1}∗ → {0, 1}κ be a message authentication code with key space {0, 1}κ . Consider the following game between a PPT adversary A and a challenger, where A receives pk and challenger has k. Let Θ = {} and c ← {0, 1}. w

• Challenge Query. A can query with a tag z. Challenger takes x ← L, lets (a0 , s0 ) = Hk (z, x), (a1 , s1 ) ← {0, 1}2κ . Return (x, ac , sc ) and update Θ = Θ ∪ {(z, x, ac , sc )}. • Compute Query. A can query with (z, x, σ, m). If (z, x, a′ , s′ ) ∈ Θ for some a′ , s′ , let a = a′ , s = s′ ; otherwise, let (a, s) = Hk (z, x). If σ = MACa (m), return (a, s); otherwise ⊥. At the end of the game, A outputs a guess bit c′ for c. Denote this game by ℜ. We have the following lemma. Since the proof is similar to F -indistinguishability [20], we put it in Appendix A. Lemma 1. [MAC-CU2 Lemma] {Iκ }κ is a hard subset membership problem and Ψ is computational universal2 and MAC is existentially unforgeable, Adv(A, ℜ) = negl(κ).

4

Red Ball Experiment

We consider a probabilistic experiment: there are n boxes. Each box contains a identical balls except that one of them is colored red while the remaining a − 1 balls are colored white. Algorithm A adaptively draws t balls from these boxes. Each time it chooses a box and then draws a ball from this box without replacement, which is distributed uniformly random. Let ℓ ∈ {1, · · · , n}. We A (a , · · · , a ) to denote the success probability that algorithm A draws t balls (from these use Θt,n,ℓ 1 n boxes), ℓ of which happen to be red, where box i has contains ai balls including one red. When the red ball in the box is taken, set ai =0 since A knows all are white in this box and does not need to A (a , · · · , a ). It is easy to see draw any ball from it any more. Let Θt,n,ℓ (a1 , · · · , an ) = maxA Θt,n,ℓ 1 n ′ ′ that for any permutation (a1 , · · · , an ) of (a1 , · · · , an ), Θt,n,ℓ (a1 , · · · , an ) = Θt,n,ℓ (a′1 , · · · , a′n ). Lemma 2. If 1 ≤ a1 ≤ a2 ≤ . . . ≤ an , 0 ≤ ℓ ≤ n, t ≥ 0, then  Θt,n,ℓ (a1 , a2 , a3 , · · · , an ) = Pr x1 + x2 + · · · + xℓ ≤ t :

 xi ← [ai ] .

(3)

Proof. Use Lef t and Right to denote the left and right side of Eq. (3) respectively. First of all, we show Lef t ≥ Right by presenting an algorithm A0 achieving Right. A0 simply draws the ball from Box 1 until the red ball is picked. Then, he turns to Box 2 using the same strategy, then Box 3, · · · . If he draws the red ball from Box ℓ before using up t picks, he succeeds; otherwise, he fails. Assume the red ball in Box i is placed at the xi position for xi ← [ai ]. Then the success probability of A0 is exactly the right side of Eq. (3). It remains to show that Lef t ≤ Right. When ℓ = 0, the conclusion holds trivially since both sides are 1. Assume ℓ ≥ 1. When n = 1, two sides of Eq. (3) equal min{t/a1 , 1} for the (only) case ℓ = 1. For n ≥ 2 and ℓ ≥ 1. we use induction on t. Note Θt,n,ℓ (a1 , · · · , an ) can always be achieved 8

by a deterministic algorithm. Hence, we assume a deterministic A achieves it. When t = 0, two sides of Eq. (3) are zero. The conclusion holds trivially. When t = 1, assume the first box chosen by A is j. Then Θ1,n,ℓ (a1 , · · · , an ) =a−1 j · Θ0,n,ℓ−1 (a1 , · · · , aj−1 , 0, aj+1 , · · · , an )

+ (1 − a−1 j )Θ0,n,ℓ (a1 , · · · , aj−1 , aj − 1, aj+1 , · · · , an )

=a−1 j · Θ0,n−1,ℓ−1 (a1 , · · · , aj−1 , aj+1 , · · · , an )

+ (1 − a−1 j )Θ0,n,ℓ (a1 , · · · , aj−1 , aj − 1, aj+1 , · · · , an )

If ℓ = 1, then this gives Θ1,n,ℓ (a1 , · · · , an ) = a−1 ≤ a−1 1 , which is right side of Eq. (3). The j conclusion holds in this case. If ℓ ≥ 2, we have Θ1,n,ℓ (a1 , · · · , an ) = 0 since Θ0,n−1,ℓ−1 (a1 , · · · , aj−1 , aj+1 , · · · , an ) = 0 and Θ0,n,ℓ (a1 , · · · , aj−1 , aj − 1, aj+1 , · · · , an ) = 0. On the other hand, x1 + · · · + xℓ ≥ ℓ > 1. Thus, the right side of Eq. (3) is 0 too. So the conclusion holds in this case too. Now assume the conclusion holds for t − 1, which implies Lef t = Right for t − 1 since Lef t ≥ Right is proven at the beginning. We consider t (t ≥ 2). Assume the first box chosen by A is j. Then, Θt,n,ℓ (a1 , · · · , an ) =a−1 j · Θt−1,n,ℓ−1 (a1 , · · · , aj−1 , 0, aj+1 , · · · , an )

+ (1 − a−1 j )Θt−1,n,ℓ (a1 , · · · , aj−1 , aj − 1, aj+1 , · · · , an )

=a−1 j · Θt−1,n−1,ℓ−1 (a1 , · · · , aj−1 , aj+1 , · · · , an )

+ (1 − a−1 j )Θt−1,n,ℓ (a1 , · · · , aj−1 , aj − 1, aj+1 , · · · , an )

There are two cases. Case aj = 1: In this case, Θt,n,ℓ (a1 , · · · , an ) = Θt−1,n−1,ℓ−1 (a1 , · · · , aj−1 , aj+1 , · · · , an ). Assume ∗ ∗ a1 , · · · , aℓ−1 be ℓ − 1 smallest numbers among {a1 , · · · , an }\{aj }. By induction,  Pℓ−1 ∗  Θt−1,n−1,ℓ−1 (a1 , · · · , aj−1 , aj+1 , · · · , an ) = Pr x∗i ← [a∗i ] . i=1 xi ≤ t − 1 : If j > ℓ, then a1 = · · · = aℓ = 1 as a1 ≤ a2 ≤ · · · ≤ an . Hence, (a∗1 , · · · , a∗ℓ−1 ) equals (a1 , · · · , aℓ−1 ). Therefore,  Pℓ−1 ∗   Pℓ−1  Pr x∗i ← [a∗i ] = Pr xi ← [ai ] . Since aℓ = 1, it follows i=1 xi ≤ t − 1 : i=1 xi ≤ t − 1 : that xℓ =   Pℓ  P1ℓ−1for xℓ ← [aℓ ]. So Pr xi ← [ai ] = Pr xi ← [ai ] . The induction holds in this i=1 xi ≤ t − 1 : i=1 xi ≤ t : case. If j ≤ ℓ, then {a∗1 , · · · , a∗ℓ−1 } = {a1 , · · · , aj−1 , aj+1 , · · · , aℓ }. Hence,  Pℓ−1 ∗  P  Pr x∗i ← [a∗i ] = Pr xi ≤ t − 1 : xi ← [ai ] i=1 xi ≤ t − 1 : 1≤i≤ℓ,i6 = j  Pℓ  = Pr xi ← [ai ] , i=1 xi ≤ t : where the last ‘=’ holds since aj = 1 and hence xj = 1 holds always. Hence, the induction holds in this case too. Case aj > 1 and j > ℓ: In this case, {a1 , · · · , aℓ−1 } are ℓ−1 smallest numbers in {a1 , · · · , an }\{aj }. By induction assumption on t − 1, we have (a1 , · · · , aj−1 , aj+1 , · · · , an ) a−1 j · Θt−1,n−1,ℓ−1  Pℓ−1  −1 = aj · Pr xi ← [ai ] i=1 xi ≤ t − 1 : 9

In addition, if aj > aℓ , {a1 , · · · , aℓ } are ℓ smallest numbers in {a1 , · · · , aj−1 , aj − 1, aj+1 , · · · , an }. Hence, (a , · · · , aj−1 , aj − 1, aj+1 , · · · , an ) (1 − a−1 j )Θt−1,n,ℓ  Pℓ 1  −1 = (1 − aj ) · Pr xi ← [ai ] i=1 xi ≤ t − 1 :

Therefore, in Eq. (3), we have that Right − Lef t equals

ℓ−1 ℓ ℓ X X X −1 xi ≤ t − 1] x ≤ t − 1] − a · Pr[ xi = t] + a−1 · Pr[ Pr[ i j j i=1

i=1

i=1

(4)

Pℓ−1

We will show that Right − Lef t ≥ 0. We split event i=1 xi ≤ t − 1 into two sub-events A : Pℓ−1 Pℓ−1 (t − 1 ≥) i=1 xi ≥ t − aℓ and B : i=1 xi ≤ t − 1 − aℓ . Note in case of event A, there exists Pℓ−1 P P xi = t. Hence, Pr[ ℓi=1 xi = t] − Pr[A] ≥ Pr[ ℓi=1 xi = t ∧ xℓ = 1 ≤ x∗ℓ ≤ aℓ such that x∗ℓ + i=1 −1 −1 x∗ℓ ] − a−1 j Pr[A] = aℓ Pr[A] − aj Pr[A] ≥ 0. In case of event B, since xℓ ≤ aℓ always holds, P ℓ −1 a−1 j Pr[B] ≤ aj Pr[ i=1 xi ≤ t − 1]. Hence, Right ≥ Lef t holds in this case. If aj ≤ aℓ , then aj = aℓ since by assumption aj ≥ aℓ for j > ℓ holds always. In this case, {a1 , · · · , aℓ−1 , aℓ − 1} are ℓ smallest numbers among {a1 , · · · , aj−1 , aj − 1, aj+1 , · · · , an }. Hence, (1 − a−1 (a , · · · , a , a − 1, aj+1 , · · · , an ) j )Θt−1,n,ℓ  ∗ 1Pℓ−1 j−1 j  = (1 − a−1 ) · Pr x + i=1 xi ≤ t − 1 : xi ← [ai ], x∗ℓ ← [aℓ − 1] ℓ ℓ  Paℓ −1  ∗ Pℓ−1 = (1 − a−1 ) · u=1 Pr xℓ + i=1 xi ≤ t − 1 ∧ x∗ℓ = u : xi ← [ai ], x∗ℓ ← [aℓ − 1] ℓ  Paℓ −1  Pℓ−1 xi ≤ t : xi ← [ai ], i < ℓ = a−1 Pr u + 1 + i=1 u=1 ℓ ·   P P ℓ ℓ −1 = au=1 Pr i=1 xi ≤ t ∧ xℓ = u + 1 :  xi ← [ai ], i ≤ ℓ  Pℓ = Pr xi ← [ai ] i=1 xi ≤ t ∧ xℓ > 1 :

On the other hand, a−1 j · Θt−1,n−1,ℓ−1 (a1 , · · · , aj−1 , aj+1 , · · · , an ) equals a−1 ℓ · Pr

ℓ−1 X i=1

xi ≤ t − 1 :

ℓ  X xi ≤ t ∧ xℓ = 1 : xi ← [ai ] = Pr i=1

 xi ← [ai ]

Combining the above two equations, we conclude the result in this case. Case aj > 1 and j ≤ ℓ: In this case, {a1 , · · · , aℓ }\{aj } are ℓ − 1 smallest numbers among {a1 , · · · , an }\{aj }. By induction assumption on t − 1, we have a−1 (a1 , · · · , aj−1 , aj+1 , · · · , an ) j · Θt−1,n−1,ℓ−1 P  = a−1 · Pr xi ← [ai ] j P 1≤i≤ℓ,i6=j xi ≤ t − 1 :  = Pr xi ← [ai ] 1≤i≤ℓ xi ≤ t ∧ xℓ = 1 :

Note {a1 , · · · , aj−1 , aj − 1, aj+1 , · · · , aℓ } are the ℓ smallest in {a1 , · · · , aj−1 , aj − 1, aj+1 , · · · , an }. Hence, (1 − a−1 (a , · · · , aj−1 , aj − 1, aj+1 , · · · , an ) j )Θt−1,n,ℓ  ∗ 1 Pℓ  −1 = (1 − aj ) · Pr xj + i=1 xi ≤ t − 1 : xi ← [ai ], x∗j ← [aj − 1]  Paℓ −1  ∗ Pℓ−1 = (1 − a−1 ) · u=1 Pr xℓ + i=1 xi ≤ t − 1 ∧ x∗ℓ = u : xi ← [ai ], x∗j ← [aj − 1] j  P ℓ −1  Pℓ−1 = a−1 · au=1 Pr u + 1 + i=1 xi ≤ t : xi ← [ai ] j  P ℓ −1  Pℓ = au=1 Pr i=1 xi ≤ t ∧ xℓ = u + 1 :  xi ← [ai ]  Pℓ xi ← [ai ] = Pr i=1 xi ≤ t ∧ xℓ > 1 : 10

Combining the above two equations, we conclude the result in this case. As a summary, the induction holds for all cases. This completes the proof.



Theorem 1. Let t < αℓa for α < 0.5. Then, Θt,n,ℓ (a, · · · , a) < exp(−2(0.5 − α)2 ℓ). Proof. By Lemma 2, Θt,n,ℓ (a, · · · , a) equals Pr[x1 + · · · + xℓ ≤ t]

∗

Pℓ

xi

a 2 ≤ 2 2 exp(−2δ ℓ/a ),

= Pr[

i=1

ℓ

−

−( a2 − ℓt )]

≤ δ= 2 ≤ exp(−2(0.5 − α) ℓ),

a 2

where inequality (∗) holds since E[xi ] =

5

−

a 2

t ℓ

> (0.5 − α)a since t < aℓα for α < 1/2

and the Hoefding inequality.



Our PAKE Framework

We now introduce our client-server password key exchange framework. Let I = {Iκ }κ be a hard subset membership problem and Λ = (X, L, W, R, D(L), D(X\L)) ← Iκ . Sample a tag-based projective hash family Ψ = (H, K, X, L, G, S, α) for Λ, where G = {0, 1}2κ . D = {1, · · · , N } is the set of all possible passwords with uniform distribution. Note the special structure {1, · · · , N } can be waived by first applying a collision-resistent hashing from {0, 1}∗ to {0, · · · }ℓ for a properly chosen ℓ and all our results in the remaining sections will hold. We say T, T∗ : D × X → X are a regular transformation pair if they satisfy the following. R-0. T(π, x) and T∗ (π, x), for π ∈ D and x ∈ X, are both polynomially computable. R-1. T(π, ·) and T∗ (π, ·) are permutations over X, indexed by π ∈ D. Further, T∗ (π, T(π, x)) = x for any π ∈ D and x ∈ X. In other words, T∗ (π, ·) is the inverse function of T(π, ·) for any fixed π ∈ D. R-2. For any y ∈ X, there exists at most one π ∈ D such that T∗ (π, y) ∈ L. MACk : {0, 1}∗ → {0, 1}κ is a secure message authentication code. The setup is as follows. For the server S, take θ ← K and compute Θ = α(θ). θ will be the private key for S and Θ will be his public key. Θ is known to all clients. For each client Ci , take πi ← D as the password for Ci , shared with S. Ci stores Θ publicly and πi secretly. S stores πi , θ secretly and Θ publicly. The key exchange protocol between S and Ci is carried out as follows (see Fig. 1 for interpretation). w

1. Ci samples x ← D(L). Then he uses πi to compute y = T(πi , x), computes (k0 , k1 ) = Hθ (i, x) using w, x, Θ, and generates τ0 = MACk0 (Ci |S|y). Finally, he sends Ci |y|τ0 to server S. Ci ’s session state stat is updated as stat = Ci |S|y|k0 |k1 . 2. Receiving Ci |y|τ0 , server S uses πi to de-transform y back to x = T∗ (πi , y), computes (k0′ , k1′ ) = ?

Hθ (i, x) using (θ, x). He then verifies whether τ0 = MACk0′ (Ci |S|y). If no, reject; otherwise, he takes ζ ← {0, 1}κ and computes τ1 = MACk0′ (ω|1) for ω = Ci |S|y|ζ. Finally, he sends S|τ1 |ζ to Ci . S’s session state stat is updated as stat = Ci |S|y|ζ|k0′ |k1′ . ?

3. Receiving S|τ1 |ζ, client Ci verifies whether τ1 = MACk0 (ω|1) for ω = Ci |S|y|ζ. If no, reject; otherwise, he computes and sends τ2 = MACk0 (ω|2) to S and finally outputs session key sk = k1 . Ci ’s session state stat is updated as stat = Ci |S|sk. 11

Ci (πi )

S(πi , θ) ∗

x = T (πi , y), ζ ← {0, 1}κ (k0′ , k1′ ) = Hθ (i, x) using θ

w

x ← D(L), y = T(πi , x) (k0 , k1 ) = Hθ (i, x) using w τ0 = MACk0 (Ci |S|y)

C i | y | τ0

/

?

ω = Ci |S|y|ζ, τ1 = MACk0 (ω|1) τ2 = MACk0 (ω|2), output sk = k1

?

τ0 = MACk0′ (Ci |S|y) ω = Ci |S|y|ζ, τ1 = MACk0′ (ω|1)

S | τ1 | ζ

o τ2

? / τ2 = MACk0′ (ω|2), output sk = k1′

Fig. 1. Our Key Exchange Framework HPS-PAKE (details in the bodytext)

?

4. Receiving τ2 , Server S verifies whether τ2 = MACk0′ (ω|2). If no, reject; otherwise, output session key sk = k1′ . S’s session state stat is updated as stat = Ci |S|sk. Remark. We outline how to prevent some attacks to help understand the protocol. But they should not be regarded as an attempt for a security proof. (1) against impersonation attack. If attacker impersonates Ci to generate and send F low1 = Ci |y|τ0 to S, then since he does not know πi and hence T∗ (πi , y) ∈ L with probability 1/|D|. When x := T∗ (πi , y) 6∈ L, τ0 will be rejected since (k0 , k1 ) = Hθ (i, x) appears random to the attacker. Thus, the impersonation has a n¨ aive success probability 1/|D|. (2) against Attack [23,6]. When an attacker eavesdrops a transcript tr = Ci |y|τ0 |S|τ1 |ζ|τ2 , he corrupts Cj and executes the protocol with S in the name of Cj using tr as a help. Toward this, he might generate F low1 = Cj |y|τ0∗ such that τ0∗ = MACk0∗ (Cj |S|y) which is modified from τ0 = MACk0 (Ci |S|y). Conceivably, the attacker might succeed if a related key attack to MAC is possible. We notice that k0∗ is from (k0∗ , k1∗ ) := Hθ (j, x∗ ) while (k0 , k1 ) := Hθ (i, x) where x∗ = T∗ (πj , y). No matter πj = πi or not, it holds that (i, x∗ ) 6= (j, x) as i 6= j (this is the main reason we use tag-HPS instead of HPS in our construction). We claim that k0∗ and k0 are computationally independent. This is true for the case x 6∈ L, by computational universal2 definition. Although in our protocol x ∈ L, this computational independency still holds; otherwise, one can reduce to break the hardness of L. Therefore, τ0 (even k0 ) does not provide any help to the attacker for generating a valid τ0∗ (unless MAC is insecure). That is, no matter πi = πj or not, F low1∗ by Cj using F low1 of Ci is always rejected. Hence, F low1 is not useful to Cj . (3) session key secrecy. The session key sk = k1 is computed by (k0 , k1 ) = Hθ (i, x). Client Ci can compute this since he knows the witness w of x ∈ L and server S can compute this since he knows πi (for recovering x from y) and θ for (k0 , k1 ). Any outsider can not compute (k0 , k1 ) since given x and Θ, Hθ (i, x) is indistinguishable from random, which is implied by MAC-CU2 Lemma.

6

Security

In this section, we prove the security of our protocol. Before this, we define the session id in the protocol as sidℓUU = Ci |S|y|ζ, where U is the client i or server S. Since the password πi for Ci and S and θ are both fixed after the system initiation, Hθ (i, x) is determined for given Ci |S|y. Hence, two 12

partnered parties must have the same session key. It remains to consider the authentication and secrecy, which we will prove using a single game-hopping process and then analyze these properties separately in the final game. Theorem 2. I = {Iκ }κ is a hard subset membership problem. MAC : {0, 1}∗ → {0, 1}κ is an existentially unforgeable message authentication code. Ψ is computational universal2 for I. (T, T∗ ) is a regular transformation pair. Then HPS-PAKE is secure. Proof. We modify the security game Γ rea into a sequence of games Γ0 (= Γ rea), Γ1 , Γ2 such that any adversary view (hence event Non-Authi or Succ as they are in the adversary view) between each neighboring pair are negligibly close. For simplicity, we will regard Execute query as a result of 4 Send queries (i.e., Send(d, ·), d = 0, 1, 2, 3) and later will remove its effect on these events by analyzing these special Send queries. For simplicity, our proof always assumes the Normal condition on D(L): sampling x ← D(L) never repeats the same x (from the hardness of I, this condition is violated negligibly). Game Γ1 . We modify Γ0 to Γ1 with the following differences. Send(0, i, ℓi , null) oracle defines (k0 , k1 ) ← {0, 1}2κ (instead of (k0 , k1 ) = Hθ (i, x)). Simulator maintains a list Q by adding (i, y, k0 , k1 ) into it. Toward consistency, Send(1, S, ℓS , Ci |y|τ0 ) executes as follows. It first check whether (i, y, u0 , u1 ) ∈ Q for some (u0 , u1 ). If no, process normally using θ; otherwise, define (k0′ , k1′ ) = (u0 , u1 ) and proceed normally. Lemma 3. View(A, Γ0 ) ≈ View(A, Γ1 ). Proof. If the views of A are distinguished by D, we construct adversary B to violate MAC-UC2 Lemma. Upon desc(Ψ ), Θ = α(θ), B simulates Γ0 as follows. Let Q = {}. Send(0, i, ℓi , null). Upon this query, B issues a Challenge query with tag i and in turn receives (x, ac , sc ). He defines (k0 , k1 ) = (ac , sc ) and normally finishes the simulation in this query. Finally, he define stateℓi i = Ci |S|y|k0 |k1 and update Q = Q ∪ {(i, y, k0 , k1 )}. Note in this case, the challenger of B will update his list Ω = Ω ∪ {i, x, k0 , k1 }.

Send(1, S, ℓS , Ci |y|τ0 ). Upon this query, compute x = T∗ (πi , y). Then, he issues Compute query (i, x, τ0 , Ci |S|y). In turn, he will receive (a, s). If (a, s) =⊥, he rejects; otherwise, define (k0′ , k1′ ) = (a, s) and finishes the remaining simulation in this query normally. In the later case, also update statℓSS = Ci |S|y|ζ|k0′ |k1′ . Note if x was generated in Send(0, i, ·), then (i, x, ac , sc ) ∈ Ω. In this case, the simulation is consistent with Γc : if τ0 = MACac (Ci |S|y), then Compute oracle returns (a, s) = (ac , sc ); otherwise, it returns (a, s) =⊥ (and B will correctly reject τ0 ). If x is not generated in Send(0, i, ·) (note it could be generated by Client i′ 6= i), then (i, x, ∗, ∗) 6∈ Ω and hence τ0 will be verified by the challenger of B using (k0 , k1 ) = Hθ (i, x) computed using θ. In this case, (a, s) =⊥ if τ0 is invalid; (a, s) = (k0 , k1 ) otherwise. Hence, the simulation in this setting is perfectly consistent with both Γ0 and Γ1 . As a summary, the simulation in this oracle is perfectly consistent with Γc . Send(2, i, ℓi , S|ζ|τ1 ) Upon this case, use statℓi i to simulate normally. Finally, if τ1 is accepted, update statℓi i = Ci |S|k1 .

Send(3, S, ℓS , τ2 ) Upon this case, use statℓSS to simulate normally. Finally, if τ2 is accepted, update statℓSS = Ci |S|k1′ . Reveal(U, ℓU ) and Test(U, ℓU ). This occurs only when ΠUℓU is successfully completed. In this case, as seen above, skUℓU is well defined in statℓi i . Hence, the simulation is normal. 13

Corrupt(i) As seen above, statℓi i is well defined and πi is known. Hence, the simulation is normal. From the description of B, we can see that when challenge bit c = 0, the simulated game by B is Γ0 ; otherwise, it is Γ1 . Hence, the distinguishability between Γ0 and Γ1 implies violating MAC-UC2 Lemma.  Game Γ2 . We modify Γ1 to Γ2 , except the following. In Send(0, i, ℓi , null), x ← X (instead of x ← L). Note since w is not used in the simulation of Γ1 , no further change is required toward the consistency with this modification. By simply reducing to hardness of L, we have Lemma 4. View(A, Γ1 ) ≈ View(A, Γ2 ). We analyze Γ2 . Recall that, in Send(1, S, ℓS , Ci |y|τ0 ), when (i, y, ∗, ∗) 6∈ Q, the simulator will compute (k0′ , k1′ ) = Hθ (i, x) and verify τ0 with k0 . We consider a Bad event in Γ2 : (i, y, ∗, ∗) 6∈ Q and T∗ (πi , y) 6∈ L but τ0 is valid. We show Lemma 5. Pr[Bad(Γ2 )] = negl(κ). Proof. Assume the lemma is not true. Let an irregular query be a Send(1, S, ℓS , Ci |y|τ0 ) query where (i, y, ∗, ∗) 6∈ Q and T∗ (πi , y) 6∈ L. Let ♯ of irregular queries be bounded by ν. Use Badi to represent the event: the ith irregular query is the first Bad event. Note when Bad occurs, there must exist i such that the ith irregular query is a Badi event. We now construct an adversary A′ to break the computational universal2 property of Ψ. Upon desc(Ψ ), Θ, A′ takes t ← {1, · · · , ν} and initializes πi for each Ci and simulates Γ2 , except when he needs to use θ, which is one of the following scenarios (especially note (k0 , k1 ) in Send(0, ·) is taken randomly in {0, 1}2κ without using θ). (1) S is corrupted and θ should be given to A. This will not occur since we assume S is uncorrupted; (2) in Send(1, S, ℓS , Ci |y|τ0 ), A′ will use θ to compute (k0′ , k1′ ) in case of (i, y, ∗, ∗) 6∈ Q. In this case, A′ can compute x = T∗ (πi , y) and query his Evalu oracle to compute Hθ (i, x). When x ∈ L, he will receive Hθ (i, x); when x 6∈ L, he will receive ⊥ . For the former case, he proceeds normally; for the latter case, it is an irregular query. If this is the jth irregular query for j < t, then he rejects τ0 ; if it is the tth irregular query, he issues (i, x) as a challenge query, in turn he will receive (ac , sc ) for challenge bit c. If τ0 = MACac (Ci |S|y), he outputs 0; otherwise 1. First of all, when c = 1, ac is independent of the adversary view prior to the current query, by unforgeability of MAC, τ0 = MACa1 (Ci |S|y) holds negligibly only. We ignore this tiny probability. When c = 0 and t is correct, the adversary view till the current query is identical to his view in Γ2 . In this case, validity of τ0 is a Badt event, in which A′ must output 0. Since Badt event implies that τ0 is valid and that upon such an event the simulation by A′ prior to the tth irregular query is identical to Γ2 . When c = 0 and t is not correct but τ0 in the t irregular query is valid (i.e., τ0 in some ith irregular query for i < t is mistakenly rejected), A′ still outputs 0. ′ ′ 3 )] − negl(κ), Hence, | Pr[A Evalu(0,·) = 0]− Pr[A Evalu(1,·) = 0]| ≥ Pr[Badt (Γ3 )]− negl(κ) ≥ Pr[Bad(Γ ν non-negligible, contradiction! Note here we use the fact that when t is random (instead of a fixed value), Pr[Badt (Γ3 )] = Pr[Bad(Γ3 )]/ν.  By Lemma 5, we now can assume that Bad event never occurs. ℓ∗

Lemma 6. If initiator Πi i accepts F low2∗ = S|ζ ∗ |τ1∗ , there must exist a unique partnered instance ℓ∗ ΠSS . ℓ∗

Proof. Recall that sidi i = Ci |S|y ∗ |ζ ∗ . Since S will not sample the same ζ ∗ twice, except for a ℓ∗ negligible probability (which we ignore), it follows that the number of partnered instance ΠSS 14

ℓ∗

ℓ∗

for Πi i is at most one. It suffices to prove the existence of such ΠSS . If it does not exist, we ℓ∗

show MAC is forgeable. Assume stati i after sending F low1 is Ci |S|y ∗ |k0∗ |k1∗ . Then, reviewing the ′ definitions of oracles in Γ2 , besides computing MACk0∗ () function, k0∗ (and its identical copy k0∗ ) ℓ∗

will be used only in the following scenarios before Πi i verifies F low2∗ : k0∗ is revealed due to the corruption of Ci (note S is uncorrupted), which is impossible since a corrupted party is controlled by A and so Send(2, i, ℓ∗i , F low2∗ ) query would not have occurred). Hence, prior to verifying F low2 ℓ∗ by Πi i , Γ2 uses k0∗ only for evaluating MACk0∗ (). To reduce to the unforgeability of MAC, it suffices ℓ∗

to show that prior to verifying F low2∗ in Πi i , the simulator never evaluates MACk0∗ () with input Ci |S|y ∗ |ζ ∗ |1. Otherwise, since τ0 , τ1 , τ2 have different input formats, this evaluation must be done by S in Send(1, S, ℓS , ·) for some ℓS , which already implies that Πsℓs is partnered with Ci , contradiction  to our assumption. Thus, validity of τ1∗ implies breaking the unforgeability of MAC. ℓ∗

Lemma 7. Assume pidSS (:= Ci ) is not corrupted. If (i, y ∗ , ·, ·) ∈ Q holds in the simulation of Send(1, S, ℓ∗S , Ci |y ∗ |τ0∗ ) oracle and subsequently Send(3, S, ℓ∗S , τ2∗ ) accepts τ2∗ , then there must exist ℓ∗ ℓ∗ a unique partnered Πi i for ΠSS . ℓ∗

Proof. ♯ of such Πi i is at most one, by Normal condition on x. It suffices to prove the existence of ℓ∗ Πi i . Assume this is not true. By assumption, in Send(1, S, ℓ∗S , Ci |y ∗ |τ0∗ ), it holds that (i, y ∗ , k0∗ , k1∗ ) ∈ Q for some k0∗ , k1∗ and it also holds that τ0∗ = MACk0∗ (Ci |S|y ∗ ) (otherwise, τ0∗ in F low1 was rejected ℓ∗

and it would be impossible for ΠSS to verify and accept τ2∗ ). Hence, the fact that (i, y ∗ , k0∗ , k1∗ ) was ℓ∗ recorded in Q implies that Πi i for some ℓ∗i must have sampled x = T∗ (πi , y ∗ ). By Normal condition, ℓ∗ ℓ∗ ℓ∗ ℓ∗ Πi i is the only instance that samples this value. Since Πi i is not partnered with ΠSS , Πi i does ℓ∗

not compute MACk0∗ () with input Ci |S|y ∗ |ζ ∗ |2, where ζ ∗ is generated by ΠSS . As in the previous lemma, k0∗ is only used in evaluating MACk0∗ (). To prove the lemma, it suffices to show that the simulator never evaluates MACk0∗ () with input Ci |S|y ∗ |ζ ∗ |2. Otherwise, it must be computed by an instance Πiℓi in Ci in generating F low3 (recall inputs for τ0 , τ1 , τ2 have different formats). Hence, ℓ∗ since Ci |S|y ∗ implies Πiℓi samples x = T∗ (πi , y ∗ ). It follows that ℓi = ℓ∗i , contradicting that Πi i ℓ∗ ℓ∗ is not partnered with ΠSS . Hence, if Πiℓi does not exist, then ΠSS ’s accepting τ2∗ implies a MAC forgery, contradicting MAC security!  Lemma 8. Recall Succ be the success of A in the test session. Then, Pr[Succ | ¬Non-Auth] = 1/2 in Γ2 . ℓ∗

ℓ∗

ℓ∗

Proof. Let ΠUU be the test instance and pidUU = V . Let sidUU = CJ |S|y ∗ |ζ ∗ . Then, {U, V } = {J, S}. ℓ∗

ℓ∗

If U = J, then V = S and (by Lemma 6) there is the unique partnered ΠSS for ΠJJ . If U = S, ℓ∗

ℓ∗

ℓ∗

then V = J. In this case, if it does not exist a partnered ΠJJ in CJ for ΠSS , then ΠSS ’s accepting ℓ∗

ℓ∗

τ2∗ implies Non-AuthJ event. Hence, under ¬Non-Auth event, there is a partnered ΠJJ for ΠSS and by Normal condition it is unique. So in any case, conditional on ¬Non-Auth, there is a uniquely ℓ∗ ℓ∗ partnered ΠVV for ΠUU . Let (k0∗ , k1∗ ) be the uniformly random keys defined to replace Hθ (J, x∗ ) where x∗ = T∗ (πJ , y ∗ ). Let b ∈ {0, 1}, α1 ∈ {0, 1}κ be the randomness in Test oracle. We notice ℓ∗ ℓ∗ that in Γ2 , skUU = k1∗ is taken uniformly random from {0, 1}κ . Let α0 = skUU . Let the randomness in the whole game for Γ2 , except k1∗ , b, α1 , be denoted by r. Use Viewt (A) to denote the adversary view after the tth query. Then to prove the lemma, it suffices to show that Viewt (A) for each t is 15

deterministic in r, αb . We actually also show that {statℓi i }(i,ℓi )6=(J,ℓ∗J ),(S,ℓ∗S ) is also deterministic in r, αb . Initially, View0 (A) is public parameters and the conclusion trivially holds. Assume it is true for t − 1 queries. Consider query t. Send(0, i, ℓi , null). The randomness in sampling x and the randomness for k0 is from r. Hence, Ci |y|τ0 is deterministic in Viewt−1 (A) and the randomness r. statℓi i = Ci |S|y|k0 |k1 . When (i, ℓi ) 6= (J, ℓ∗J ), k1 is determined by r. Hence, the conclusion holds after this query.

Send(1, S, ℓS , Ci |y|τ0 ). The simulator will first check (i, y, ∗, ∗) ∈ Q. If yes, extract k0 from it and proceed normally (with randomness r if used). If no, compute (k0′ , k1′ ) = Hθ (i, x) for x = T∗ (πi , y) and proceed normally. Notice the component (i, y, k0 ) in a record from Q is computed using the randomness r; ζ is generated using r too. θ is based on the randomness in the initialization of Γ2 and hence based on r too. So adversary view in this query is deterministic in Viewt−1 (A) and r. If it outputs F low2 , then statℓSS is updated as Ci |S|y|k0 |k1 . By the uniqueness of ℓ∗S , when (S, ℓS ) 6= (S, ℓ∗S ), k1 is computing with r. Hence, the conclusion holds after this query. Send(2, ·) and Send(3, ·) is deterministic in the view of A before the query and its session state. By the induction, the conclusion holds after this query. ℓ∗

ℓ∗

Reveal(i, ℓi ). This query is skiℓi . By the restriction on Test definition, Πiℓi 6= ΠSS , ΠJJ and hence by induction, its internal state is deterministic in Viewt−1 (A) and r, αb . Since skiℓi is in his internal state, the conclusion holds after this query. Corrupt(i). Upon this query πi as well as {statℓi i }ℓi will be available to A. Since i 6= J, S from Test restriction, by induction, the conclusion holds after this query. Test(u, ℓ∗u ). Reply in this query is αb . The conclusion holds trivially after this query. As a summary, after any query, our conclusion holds. Hence, adversary view is independent of b. This concludes the lemma proof.  Lemma 9. Let Qi be ♯ of Send(d, U, ℓU , ·) queries such that i = Client(ΠUℓU ). Then, for any client Qi + negl(κ). Ci , i = 1, · · · , n, Pr[Non-Authi (A, Γ2 )] ≤ |D| Proof. To prove the lemma, we show how to simulate Γ2 such that the whole randomness in the simulation except that for {πi }i is fixed. Let Di be the probability space for πi after each oracle query. That is, for each (π1 , · · · , πn ) ∈ D1 × D2 × · · · × Dn , the adversary view is identical. Hence, given the adversary view, (π1 , · · · , πn ) is uniformly distributed over D1 × · · · × Dn . Initially, the adversary is given hdesc(Λ), α(θ)i which is independent of π1 , · · · , πn . Hence, D1 = · · · = Dn = D. Assume this simulation is done for query t − 1. Consider query t, which is one of the following. Send(0, i, ℓi , null). Simulator takes y ← X, (k0 , k1 ) ← {0, 1}2κ and computes τ0 = MACk0 (Ci |S|y). Finally, update Qn Q = Q ∪ {(i, y, k0 , k1 )}. The adversary view in this query is Ci |y|τ0 . For any n {πj }j=1 ∈ j=1 Dj , the adversary view in the current query is identical. By induction assumption, after this query, if Dj , t = 1, · · · , n remains unchanged, the conclusion holds. statℓi i = Ci |S|y|k0 |k1 .

Send(1, S, ℓS , Ci |y|τ0 ). Upon this, if (i, y, k0 , k1 ) ∈ Q, then (regardless of the concrete value for πi ), the simulator will take (k0 , k1 ) from it and finish the remaining simulation in this query normally and Dt for any t remain unchanged. Otherwise, it will uses θ and πi to verify τ0 normally and announce the success of A if valid and reject otherwise; details follow. 1. τ0 is valid for the case T∗ (πi , y) ∈ L. This case occurs only for at most one πi (denoted by πi (y)) by Regularity Property R-2 of (T, T∗ ). 16

2. τ0 is valid for the case T∗ (πi , y) 6∈ L. This event is a Bad event in Γ2 (see Lemma 5), which occurs negligibly only. Since we already assume this event never occurs after Lemma 5, this case does not exist. As a summery, item 1 occurs (hence πi = πi (y)) with probability Q at most 1/|Di | by induction assumption (since, given Viewt−1 (A), vector {πj }j is uniform in j Dj and especially πi is uniform in Di ); otherwise, for πi ∈ Di \{πi (y)} and πj ∈ Dj (j 6= i), the adversary view in this query is identical: reject. Hence, in this case, Dj for j 6= i remain unchanged, Di = Di \{πi (y)} and statℓSS = Ci |S|y|k0 |k1 is well defined.

Reveal, Test, Send(2, · · · ), Send(3, · · · ) are processed only using session state established in Send(0, ·), Send(1, ·), which is well defined as seen above. Hence, the simulation is perfect.

Corrupt(i). In this case, πi is revealed Qand hence Di is updated to a set of a single value. Since ℓi {stati }ℓi are consistent with all {πj }j ∈ j Dj by induction, it follows that if we keep Dj for j 6= i unchanged, the conclusion still holds. Now we consider Non-Authi event. It occurs at either some Πiℓi or ΠSℓS with pidℓSS = Ci . By Lemma 6, it is impossible to the former. For the latter, by Lemma 7, it must holds that (i, y, ∗, ∗) 6∈ Q in Send(1, S, ℓS , Ci |y|τ0 ) query and hence item 1 (i.e., πi = πi (y)) must occur (since item 2 is negligible and ignored). It remains to calculate the probability πi = πi (y) throughout the game. As analyzed above, it has a probability 1/|Di |, conditional on that previous queries with F low1 = Ci |∗ do not have such an event. Hence, as a summery, πi = πi (y) occurs in the ℓth such a Send(1, S, ·, Ci |· |D|−2 1 1 |·) query with probability |D|−1 |D| · |D|−1 · · · |D|−ℓ−1 = |D| . We claim that there are at most Qi

Send(1, S, ·, Ci |y|·) queries for fixed Ci such that (i, y, ∗, ∗) 6∈ Q with Client(ΠSℓS ) = Ci . Indeed, although at the beginning of theorem proof, we decompose Execute into 4 Send(d, ·) queries, this treatment does not invalidate the above statement: in the special Send(1, S, ℓS , Ci |y|τ0 ) query (decomposed from Execute(i, ℓi , S, ℓS )), (i, y, ∗, ∗) ∈ Q was recorded by Πiℓi in Send(0, i, ℓi , null) Qi (decomposed from the same Execute query). Thus, Pr[Non-Authi (A, Γ2 )] ≤ |D| .  We come back to the proof of theorem. Note that Non-Authi and Succ both are in the view of adversary. Hence, each of them are negligibly close between games Γ0 , Γ1 , Γ2 . By Lemmas 8 and 9, we conclude the theorem proof. 

7

Persistency

In this section, we show that our protocol is persistent against the leakage of server long private key θ. In our analysis, we model MAC as a random oracle. The main motivation for this is that when the attacker sees several MAC values, he should not learn anything about the MAC key beyond his current knowledge. We also need a notion of local 1-uniqueness on tag-PHF below. Definition 4. Hθ : {0, 1}∗ × X → {0, 1}2κ is a tag-PHF and F : D × X → X is a deterministic function. Hθ is locally 1-unique with respect to F if for any PPT adversary A, Pr[∃π1 , π2 ∈ D, π1 6= π2 s.t. Hθ (z, F (π1 , y)) − Hθ (z, F (π2 , y)) = (0, ∗)]

is negligible, where (z, y) ← A(θ, Θ, desc(H), desc(F )).

We now present the idea for the persistency of our framework. We need to show that if the attacker has a computing power of T < αℓ|D| for α < 1/2, then the probability for him to break 17

the authentication w.r.t. ℓ users, is small. Toward this, we simulate Send oracles without using {πi }. An authentication break occurs w.r.t. πi means that either τ1 is accepted at Send(2, i, ℓi , F low2 ) while server S never computes it, or τ2 is accepted at Send(3, S, ℓS , τ2 ) while Ci never computes it. Since τ2 and τ1 are MACs, it follows that the challenger never computes MAC with the corresponding input. To computing a valid τ2 or τ1 , the attacker must guess πi correctly since different πi will give a different MAC value. However, after each Send oracle, only one password dictionary (say, Di for πi ) will be updated (because Send reply leaks information about πi ) and its size is reduced by only one if the password is guessed wrongly; otherwise (with probability 1/|Di |), the size is exactly one. We maps our security game to the Red Ball Experiment in Section 4. A forged τd with respect to Ci in Send(d, ·) for d ≥ 2 is regarded as ball drawing from Box i. The ball is red if and only if τd is valid. Authentication break w.r.t. Ci occurs if and only if τd is valid, which holds if and only if a red ball from Box i is drawn. Hence, adversary success of break authentication of ℓ users occurs if and only if an algorithm draws ℓ red balls in the red ball experiment. By Theorem 1, the probability is exponentially small in ℓ. Now we state the result and give a formal proof. Theorem 3. Let MAC : {0, 1}κ × {0, 1}∗ → {0, 1}κ be a random oracle and Hθ () is locally 1-unique with respect to T∗ . Then, HPS-PAKE is persistent. Proof. We first modify Send(0, ·) oracle such that x ← D(X\L) (instead of D(L)). Since Hθ (z, x) can be computed using θ (known), the revised game can be simulated without difficulty. The adversary can have only negligible difference in breaking authentication in these two games. We hence only need to focus on the revised game. Assuming the randomness r for the whole game except {πi } are fixed, we show how to simulate Send oracle and MAC oracle without first specifying {πi }. We denote Di to be the space for πi , given the current adversary view. We use viewt (A) to denote the adversary view after t queries. Before the game starts, A will receive Θ, desc(Ψ ), θ, which is independent of {πi }. Hence, given view0 (A), D1 = · · · = Dn = D. Assuming the first t − 1 queries are answered. Consider query t, which is one of the following. MAC oracle. Simulator maintains a MAC list L consisting of records (x, MAC(x)). Query m by Simulator. This query always have a format (udef − k0 , Ci |S|y|ρ) for ρ = ǫ (empty string) or ζ|v for v = 1 or 2, where udef − k0 is the random variable k0 determined by the random variable πi (recall we assume the remaining in simulation is fixed). Of course, if Di is a single element {π}, then udef − k0 is determined. Upon this query, it checks it has been queried before. If no, take z ← {0, 1}κ (using random tape r) and add (udef − k0 , Ci |S|y|0), z) into L. In any case, return z for (udef − k0 , Ci |S|y|ρ), z) ∈ L as the reply. Query m by A. Upon query m, if m was queried before, find y such that (m, y) ∈ L and return y. If m was not queried before, do the following. If m can be parsed into a format (u, s) where s = Ci |S|y|ρ and ρ = ǫ (empty string) or ζ|v for v = 1 or 2, then check if there exists π(i, y) ∈ Di (unique if any, by assumption on Hθ ()) s.t. (u, ∗) = Hθ (i, T∗ (π(i, y), y)). If π(i, y) exists, check Q whether πi = π(i, y) (in this case, ‘=’ occurs with probability 1/|Di | since any {πj }j ∈ j Dj gives the same adversary view). If yes, Di = {π(i, y)}; otherwise, set Di = Di \{π(i, y)}. In any case when m was not queried before, take z ← {0, 1}κ (using random tape r) and add (m, z) into a list L and return z. Q Our MAC simulation above has the property that for any {πi } ∈ i Di , MAC oracle is consistent if udef − k0 is set to a real value using {πi }. 18

Send(0, i, ℓi , null). Upon this, take y ← X. Assume there is no query (∗, Ci |S|y) to MAC, which is violated with probability |L|/|X| (tiny and ignored!). Query (udef − k0 , Ci |S|y) to MAC oracle and when receiving the reply z, define τ0 = z. Finally, send Ci |y|τ0 to A.

Send(1, S, ℓS , Ci |y|τ0 ). Upon this, query (udef − k0 , Ci |S|y) to MAC oracle and when receiving the reply z, τ0 is accepted if and only if τ0 = z. If τ0 = z, normally generate F low1 by querying (udef − k0 , Ci |S|y|ζ) to MAC oracle for computing τ1 . Finally send out S|τ1 |ζ. Send(2, i, ℓi , S|y|τ1 |ζ). Upon this, verify τ1 by querying udef − k0 , Ci |S|y|ζ|1) to MAC oracle and if accepted, generate and send out τ1 by querying udef − k0 , Ci |S|y|ζ|2) to MAC oracle.

Send(3, S, ℓS , τ2 ).

Upon this, verify τ2 by query (udef − k0 , Ci |S|y|ζ|2) to MAC oracle.

By the Q definition of MAC, after each query, the adversary view will be consistent with any {πj }j ∈ j Dj . Our simulation is perfect consistent with the real game. An authentication break with respect to Ci occurs in two cases: - In Send(2, i, ℓi , S|y|τ1 |ζ) where τ1 is accepted while (udef − k0 , Ci |S|y|ζ|1) was not queried to MAC oracle by Simulator before this Send query. By treatment of MAC oracle, when |Di | ≥ 2, udef − k0 is a random variable. A never made such a query for (udef − k0 , Ci |S|y|ζ|1) to MAC oracle either. Hence, in this case, τ1 is valid with probability at most 2−κ (negligible and ignored!). Thus, Di = {πi } (a single element). In this case, if (k0 , Ci |S|y|ζ|1) was not queried MAC, then τ1 is valid with probability 2−κ (ignored); otherwise, it must be queried by A and the event πi = π(i, y ∗ ) in some MAC query by A must have occurred in the game (which has a probability 1/|D|i , where Di is the dictionary for πi upon that query). - In Send(3, S, ℓS , τ2 ) with pidℓSS = Ci while (udef−k0 , Ci |S|y|ζ|2) was not queried to MAC oracle by Simulator before. The analysis is similar to the above item. Now we evaluate Pr[Succ(A)]. From the above analysis, authentication breaks occurring w.r.t. ℓ users implies that πi = π(i, y) occurs to ℓ users. Now initializing πi in a different way: πi is set to the Li th value π(i, y) in the MAC query used in checking πi = π(i, y) for Li ← {1, · · · , D} (passwords not used in the equality check are listed alphabetically and hence we still get an entire ordered list of D). This setup of {πi }i is perfectly according to uniform distribution in D n since each π(i, y) in this equality is distinct for fixed i. However, under this formulation, we can map our simulation to red ball experiment: fixed the randomness of the game, except Li ; verifying πi = π(i, y) maps to the ball pickup in box i, where if the equality holds, the picked ball is red; white otherwise. πi = π(i, y) occurring to ℓ users corresponds to picking up ℓ red balls from n boxes. Using one MAC query as one time unit, the corresponding red ball experiment can have at most T times ball drawings since each πi = π(i, y) corresponds to one MAC query by A. Since T ≤ ℓα|D| for α < 1/2, by Theorem 1, Pr[Succ(A) is negligibly bounded by exp(−2n0 (0.5 − α)2 ). 

8

Realization from Cramer-Shoup tag-HPS

In this section, we realize our HPS-PAKE framework using a tag-HPS, which is modified from a hash proof system [26,10] by adding the tag; see below. • Hard Subset Membership Problem Ik . Sample a prime p = 2q + 1 where q is also a large prime. Let G be the prime group of Z∗p of order q. Take g1 , g2 ← G. The set X = {(g1r1 , g2r2 ) | r1 , r2 ∈ Zq }. Language L is defined as L = {(g1r , g2r ) | r ∈ Zq }. The witness for (g1r , g2r ) ∈ L is r. D(L) and D(X\L) are uniform distributions over L and X\L, respectively. Witness set W = Zq . NP-relation 19

R is defined as R = {(r, (u1 , u2 )) | u1 = g1r , u2 = g2r , r ∈ W }. Hence, the description desc(Iκ ) = (g1 , g2 , p). I is a hard subset membership problem by Decisional Diffie-Hellman (DDH) assumption in G. Here DDH assumption states: no polynomial algorithm can distinguish distributions DH and Rand, where DH = (g1 , g2 , g1x , g2x ) for x ← Zq and Rand = (g1 , g2 , g1x , g2y ) for x, y ← Zq .

• Tag-based Projective Hash Function Ψ . Let S = G2 and G = {0, 1}2κ . Let key space K = {(a1 , a2 , b1 , b2 ) | a1 , a2 , b1 , b2 ∈ Zq }. Θ = α(θ) = (Θ1 , Θ2 ) = (g1a1 g2a2 , g1b1 g2b2 ), for θ = (a1 , a2 , b1 , b2 ) ∈ K. Let hλ be a collision resistent hash function from {0, 1}∗ to Zq , indexed by λ ← {0, 1}κ . Let KDF is a key derivation function (e.g., the least half bits of the input) and is not used in the original HPS [26,10]. For (u1 , u2 ) ∈ X and a tag z, define Hθ (z, (u1 , u2 )) = KDF(ua11 +b1 τ ua22 +b2 τ ), where τ = hλ (z, u1 , u2 ). If (u1 , u2 ) = (g1r , g2r ), then Hθ (z, u1 , u2 ) = KDF(ua11 +b1 τ ua22 +b2 τ ) = KDF((g1a1 +b1 τ g2a2 +b2 τ )r ) = KDF((Θ1 Θ2τ )r ). Hence, Ψ is a projective hash function for I and desc(Ψ ) = (g1 , g2 , λ, p). By Lemma 10 below, Ψ is also computational universal2 .

• Regular Transformation Pair (T, T∗ ): For π ∈ D and (u1 , u2 ) ∈ X, we define T(π, (u1 , u2 )) = (u1 , u2 g2π ) and T∗ (π, (u1 , u2 )) = (u1 , u2 g2−π ). Evidently, regularity properties R-0 and R-1 are satisfies. In addition, property R-2 is satisfied as long as no π1 , π2 ∈ D s.t. π1 ≡ π2 (modp), which is evident when D = {1, · · · , N } for N < q. Lemma 10. If hλ is collision-resistant, Ψ is computational universal2 . The proof is similar to [17, Lemma 6.3] and omitted here. Security. Denote the HPS-PAKE framework realized using the above tag-HPS and T, T∗ by HPScs -PAKE. Then from Theorem 2, HPS-PAKE is secure. Persistency. Now we consider the persistency of HPScs -PAKE protocol. By Theorem 3, we only need to show that Hθ (z, x) is locally 1-unique. Before this, we first introduce two facts. Fact 1. If α, U are random variables over A and β, V are random variables over B, then dist[α, U ] ≤ dist[(α, β), (U, V )]. P P roof. dist[α, U ] = 12 Pa∈A | Pr[α P = a] − Pr[U = a]| = 12 Pa∈A |P b∈B (Pr[α = a, β = b] − Pr[U = a, V = b])| ≤ 12 Pa∈A b∈B | Pr[α = a, β = b] − Pr[U = a, V = b]| = 21 (a,b)∈(A,B) | Pr[α = a, β = b] − Pr[U = a, V = b]| = dist[(α, β), (U, V )].  Fact 2. Let α, β be random variables over A and αb be the random variable α given β = b. U is uniformly random over A. Assume dist[αb , U ] ≤ ∆. Then, Pr[α = β] ≤ ∆ + 1/|A|. P P P roof. Pr[α = β] = Pb∈A Pr[α = b, β = b] = b∈A Pr[β = b] Pr[αb = b] ≤ b∈A Pr[β P = b] · (| Pr[αb = b] − Pr[U = b]| + Pr[U = b]) = 1/|A| + Pb∈A Pr[β = b] · | Pr[αb = b] − Pr[U = b]| ≤ 1/|A| + b∈A Pr[β = b] · maxW ⊆B (Pr[αb ∈ W ] − Pr[U ∈ W ]) = 1/|A| + ∆.  Lemma 11. Let dist[KDF(U ), U2κ ] ≤ ∆ for U ← G and U2κ ← {0, 1}2κ . If hλ is a random oracle and N 2 (2−κ + ∆) is negligible, then Hθ () is locally 1-unique with respect to T∗ . 20

Proof. Since θ = (a1 , a2 , b1 , b2 ) is uniform over Z4q , we ignore the probability that a1 a2 b1 b2 = 0. Let (z ∗ , x∗1 , x∗2 ) be the output of A. Let Ω be the set of (z, x1 , x2 ) that has been queried to hλ oracle where z ∈ {0, 1}∗ , x1 , x2 ∈ G. Assume (z ∗ , x∗1 , x∗2 ) break the local 1-uniqueness with ϕ1 , ϕ2 ∈ [N ]. There are two cases. −ϕ

to hλ oracle. In this case, (z ∗ , x∗1 , x∗2 g2 j ) ∈ Case one. (z ∗ , x∗1 , x∗2 g2−ϕi ), i = 1 or 2 was queried  ω (z, x1 , x2 g2 ) | ω ∈ ±[N ] ∪ {0}, (z, x1 , x2 ) ∈ Ω must hold for both j = 1, 2. To bound A’s success in this setting, it suffices to prove that there is no (z, x1 , x2 ) ∈ Ω such that ∃ω1 , ω2 ∈ ±[N ] ∪ {0} s.t. Hθ (z, x1 , x2 g2ω1 )− Hθ (z, x1 , x2 g2ω2 ) = (0, ∗). We now prove this. For distinct ω1 , ω2 ∈ ±[N ]∪ {0} and (z, x1 , x2 ) ∈ Ω, let A = xa11 xa22 g2ω1 a2 · (xb11 xb22 g2b2 ω1 )τ1 and B = xa11 xa22 g2ω2 a2 · (xb11 xb22 g2b2 ω2 )τ2 , where τ1 = hλ (z, x1 , x2 g2ω1 ) and τ2 = hλ (z, x1 , x2 g2ω2 ). Since b2 6= 0 and 2N + 1 < q, either (xb11 xb22 g2b2 ω1 ) or (xb11 xb22 g2b2 ω2 ) has an order of q. W.O.L.G, assume (xb11 xb22 g2ω1 b2 ) has order q. Then, since τ1 and τ2 are independent and uniformly random over Zq , it follows that given B, A is uniformly random over G. Use Ab denote the random variable A given B = b. Then, KDF(Ab ) = (v1 , v2 ). By the property of KDF, dist[(v1 , v2 ), (U1 , U2 )] ≤ ∆ and by Fact 1, dist[v1 , U1 ] ≤ ∆. Let KDF(B) = (v1′ , v2′ ). Then by Fact 2, Pr[v1′ = v1 ] ≤ 2−κ + ∆. Since there are (2N + 1)N possible pairs for (ω1 , ω2 ), v1′ = v1 for fixed (z, x1 , x2 ) and some (ω1 , ω2 ) with probability at most (2N + 1)N (2−κ + ∆). Furthermore, since A has polynomial time bound (say, T ), |Ω| ≤ T. Hence, v1′ = v1 occurs w.r.t. some (z, x1 , x2 ) and ϕ with probability at most T N (2N + 1)(2−κ + ∆), which is negligible since N 2 (2−κ + ∆) is negligible and T is polynomial. Case two. (z ∗ , x∗1 , x∗2 g2−ϕi ), i = 1 and 2 was not queried to hλ oracle. In this case, for i = 1, 2, τ1 = hλ (z ∗ , x∗1 , x2 g2−ϕi ) are uniformly random in {0, 1}2κ and independent of adversary view. Similar to the analysis on A and B in Case one, A’s success in this case is negligible.  Efficiency and Improvement. Client’s computing cost consists of 4 exponentiations, 3 MACs and 1 hλ value (by noticing y = (g1r , g2r+π ) and (k1 , k2 ) is computed with r, neither of them has to first compute x. Hence, the cost for g1π is saved). Server’s computing cost consists of 2 exponentiations (plus 1 exp for g2−π ), 3 MACs and 1 hλ . We can assume the server pre-computes and stores g1−π . If |p| = 1K bit then for 10, 000 users, server needs a storage complexity of only 1.25M Bytes space for this, which is negligible. The cost for MAC and hλ is tiny and ignored. Hence, the cost is 4 exps for client and 2 exps for server. We remark that this cost counting assumes that the server does not need to verify y ∈ G, which could cost two extra exps. However, verifying y ∈ G can be avoided by our recent technique [20], which slightly modifies the protocol while provably preserving its security. We now apply this technique to our protocol. In our setting, r/2 (r+π)/2 ) and instead of sending y = (g1r , g2r+π ) in F low1 , we compute y ′ := (y1′ , y2′ ) := (g1 , g2 y = (y1′ 2 , y ′ 22 ) and replace y in F low1 by y ′ . The remaining specification for Client is unchanged. Correspondingly, a slight change for Server computation is as follows. It first recovers y = (y ′ 21 , y ′ 22 ) from y ′ when receiving F low1 and the remaining specification in Server is unchanged. Denote the modified protocol by HPS∗cs -PAKE. The cost for client and server each increases by 2 squarings, which is tiny. Then, the security of HPScs -PAKE implies the security of HPS∗cs -PAKE. The proof √ uses the fact that for y ∈ G, it holds that y = y (q+1)/2 . The security of HPS∗cs -PAKE is obtained by proving that if there is an adversary A′ against HPS∗cs -PAKE with success probability prob, then there exists an adversary HPScs -PAKE with the same success probability. The setup of these two protocols are the same. So when A receives the setup parameter (desc(Φ), Θ), it forwards to A′ . Upon Send query from A′ , the strategy of A is to forward the query from A′ to his own challenger and relay the reply from the latter back to A′ , except y in F low1 of Send(1, ·) query 21

√ is replaced by y ′ = y. For remaining queries Reveal, Corrupt(i), Test from A′ , A forwards it to his own challenger and replays the reply back to A′ . It is simple to check that the security game simulated by A is according to the real distribution. Finally, A outputs whatever A′ outputs. Note that Non-Authi event or Succ occurs in the simulated game if and only if it occurs in the game A is attacking. It follows that they have the same probability in Non-Authi event and Succ respectively. Details are omitted. Hence, by security and persistency of HPScs -PAKE, we conclude HPS∗cs -PAKE have these properties too.

References 1. M. Bellare, R. Canetti, and H. Krawczyk, A Modular Approach to the Design and Analysis of Authentication and Key Exchange Protocols, STOC 98: 419-428. 2. M. Bellare, D. Pointcheval, P. Rogaway: Authenticated Key Exchange Secure against Dictionary Attacks. EUROCRYPT 2000: 139-155. 3. M. Bellare, P. Rogaway: Entity Authentication and Key Distribution. CRYPTO 1993: 232-249. 4. Bellovin, S.M.; Merritt, M., Encrypted key exchange: password-based protocols secure against dictionary attacks, In Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, 72-84. 5. S. M. Bellovin, M. Merritt: Augmented Encrypted Key Exchange: A Password-Based Protocol Secure against Dictionary Attacks and Password File Compromise. ACM Conference on Computer and Communications Security 1993: 244-250. 6. M. K. Boyarsky, Public-key cryptography and password protocols: the multi-user case, Proceedings of the 6th ACM conference on Computer and Communication Security (CCS’99), pages 63-72, 1999. 7. V. Boyko, P. D. MacKenzie, S. Patel: Provably Secure Password-Authenticated Key Exchange Using DiffieHellman. EUROCRYPT 2000: 156-171. 8. R. Canetti and H. Krawczyk, Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels, Eurocrypt 2001: 453-474. 9. R. Canetti, S. Halevi, J. Katz, Y. Lindell and P. MacKenzie, Universally Composable Password-Based Key Exchange, EUROCRYPT’05, pages 404-421, 2005. 10. R. Cramer and V. Shoup. Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. L. R. Knudsen (Ed.) EUROCRYPT 2002. 11. W. Diffie, P.C. van Oorschot, and M.J. Wiener, Authentication and Authenticated Key Exchanges, Designs, Codes and Cryptography, vol. 2, no. 2, 1992, pp. 107-125. 12. R. Gennaro, Y. Lindell: A Framework for Password-Based Authenticated Key Exchange. EUROCRYPT 2003: 524-543. 13. O. Goldreich, Y. Lindell: Session-Key Generation Using Human Passwords Only. CRYPTO 2001: 408-432. 14. L. Gong, T. Mark, A. Lomas, R. M. Needham, J. H. Saltzer: Protecting Poorly Chosen Secrets from Guessing Attacks. IEEE Journal on Selected Areas in Communications 11(5): 648-656 (1993). 15. S. Halevi, H. Krawczyk, Public-Key Cryptography and Password Protocols. ACM Conference on Computer and Communications Security 1998: 122-131. 16. S. Halevi, H. Krawczyk, Public-Key Cryptography and Password Protocols. ACM Trans. Inf. Syst. Secur., 2(3): 230-268, 1999. 17. D. Hofheinz and E. Kiltz, Secure Hybrid Encryption from Weakened Key Encapsulation. CRYPTO 2007, pages 553-571 18. D. P. Jablon, Extended Password Key Exchange Protocols Immune to Dictionary Attacks. WETICE 1997: 248255. 19. S. Jiang and G. Gong, Password based Key Exchange with Mutual Authentication, SAC 2004. 20. S. Jiang, Y. Chee, S. Ling, H. Wang and C. Xing, A New Framework for Deniable Secure Key Exchange, Preprint. 21. J. Katz, R. Ostrovsky, M. Yung: Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords. EUROCRYPT 2001: 475-494. 22. J. Katz and V. Vaikuntanathan, Smooth Projective Hashing and Password-Based Authenticated Key Exchange from Lattices, ASIACRYPT’09. 23. V. Kolesnikov and C. Rackoff, Key Exchange using Passwords and Long Keys, TCC’06. 24. H. Krawczyk, SIGMA: The ’SIGn-and-MAc’ Approach to Authenticated Diffie-Hellman and Its Use in the IKEProtocols, CRYPTO 2003, pp. 400-425.

22

25. H. Krawczyk, HMQV: A High-Performance Secure Diffie-Hellman Protocol, CRYPTO’05. 26. K. Korosawa and Y. Desmedt, A New Paradigm of Hybrid Encryption Scheme, CRYPTO’04. 27. S. Lucks, Open Key Exchange: How to Defeat Dictionary Attacks Without Encrypting Public Keys. Security Protocols Workshop 1997: 79-90. Available at http://th.informatik.uni-mannheim.de/People/Lucks/papers.html

Appendix A.

Proof of Lemma 1

Proof. Use ℜc to denote ℜ when the challenge bit is c. It suffices to show that Pr[A(ℜ0 ) = 1] = Pr[A(ℜ1 ) = 1] + negl(κ). Let ℜℓ0 denote the variant of ℜ0 , where the first ℓ Challenge queries are answered as in ℜ1 while the remaining such queries are answered as in ℜ0 . Let ♯ of Challenge queries be bounded by N. Then, ℜ00 = ℜ0 and ℜN 0 = ℜ1 . If the lemma is violated by A, then by hybrid argument, there exists ℓ such that | Pr[A(ℜ0ℓ−1 ) = 1] − Pr[A(ℜℓ0 ) = 1]| is non-negligible. ˆ i , i = ℓ − 1, ℓ be the variant of ℜi such that in the ℓth Challenge query, x ← X\L (instead Let ℜ 0 0 of x ← L), where correspondingly Hk (z, x) is computed using k. By reduction to the hardness of ˆ ℓ+1 ) = 1] ˆ ℓ ) = 1] − Pr[A(ℜ ˆ i ) = 1] + negl(κ). Hence, Pr[A(ℜ I, we have Pr[A(ℜi0 ) = 1] = Pr[A(ℜ 0 0 0 is non-negligible. We build an adversary D that uses A to break computationally universal2 of Ψ. ˆ ℓ with it as follows. Upon public key pk = (α(k), desc(Ψ )), D invokes A with pk and simulates ℜ 0 He defines c to his own challenge bit (unknown). w

• ith Challenge Query with z. If i 6= ℓ, take x ← D(L) and compute (a0 , s0 ) = Hk (z, x) using w. The remaining simulation in this query is normal. If i = ℓ, he takes x∗ ← D(X\L) and use (z, x∗ ) as his second pair challenge. He receives and returns (a∗c , s∗c )) to A and updates Θ = Θ ∪ {(z, x∗ , a∗c , s∗c )}. • Compute Query (z, x, σ, m). If (z, x, a′ , s′ ) ∈ Θ for some a′ , s′ , verify σ using a′ ; otherwise, he issues Evalu query to his challenger with (z, x) and in turn receives (a, s). If (a, s) =⊥ (in this case x 6∈ L) or σ 6= MACa (m), he outputs ⊥; otherwise, he outputs (a, s). At the end of game, D outputs whatever A does. ¯ ℓ−c . Then ℜ ¯ ℓ−c is identical to ℜ ˆ ℓ−c , except Denote the simulated game of D with bit c by ℜ 0 0 0 in the case of x 6∈ L in Compute query. In this case, the challenger of D returns (a, s) =⊥ and D ˆ ℓ−c , σ will be verified using a in (a, s) = Hk (x) and (if valid) output will output ⊥ too while in ℜ 0 ˆ ℓ−c differs from ℜ ¯ ℓ−c only when E occurs in ℜ ¯ ℓ−c , (a, s). Denote this inconsistent event by E. Since ℜ 0 0 0 ℓ−c ℓ−c ℓ−c ℓ−c ˆ ) = 1] − Pr[A(ℜ ¯ ) = 1]| ≤ Pr[E(ℜ ¯ )]. We claim that Pr[E(ℜ ¯ )] = negl(κ), c = 0, 1; | Pr[A(ℜ 0 0 0 0 otherwise, computational universal2 of Ψ can be broken by adversary D ′ as follows. W.O.L.G, ¯ ℓ by playing the role of D ¯ ℓ )] is non-negligible. Upon receiving pk, D ′ simulates ℜ assume Pr[E(ℜ 0 0 and the challenger of D, where pk is the public key, except the evaluation of Hk (z, x) is done under his own challenger’s help. Specifically, for the ith Challenge query for i 6= ℓ, he can take x ← L and compute Hk (z, x) with w himself ; For the ℓth Challenge query, he takes x∗ ← X\L and asks his challenger to evaluate Hk (z, x∗ ) as the first challenge; upon a Compute query (z, x, σ, m), he asks his own challenger with (z, x) and in turn he will receive (a, s) =⊥ if x 6∈ L; Hk (z, x) otherwise. ¯ ℓ−c ); in case In case of the former, he records (z, x) in to a list L and reject normally (as in ℜ 0 of the latter, answer the query using the received Hk (z, x) normally. The remaining simulation is ¯ ℓ−c for both cases c = 0 and 1. At the end normal. This simulation is perfectly consistent with ℜ 0 ¯ ℓ , not ℜ ¯ ℓ−1 ), he outputs 0/1 randomly; otherwise, he of game, if c = 1 (since we only consider ℜ 0 0 takes (z ∗ , y ∗ ) randomly from L and ask (z ∗ , y ∗ ) as the second challenge. In turn he will receive (a∗b , s∗b ), where (a∗0 , s∗0 ) = Hk (z ∗ , y ∗ ) or (a1 , s1 ) ← {0, 1}2κ . Then he reviews all the Compute queries with forms (z ∗ , y ∗ , σ, m) for any σ, m and denote event σ = MACa∗b (m) by inc. In case of inc, 23

output 0; otherwise output 1. Note if b = 1, then inc occurs to y ∗ negligibly by ungorgeability of ¯ ℓ occurs to (z ∗ , y ∗ ). Since any E event must occur MAC. If b = 0, then inc event is E event in ℜ 0 ¯ ℓ )]/|L|, to some (z, x) in L, inc occurs in D’s algorithm for b = 0 with probability at least Pr[E(ℜ 0 non-negligible. The non-negligible gap of the two cases implies non-negligible advantage of D ′ , ¯ ℓ−1 ) = 1] is non-negligible. This implies that D has ¯ ℓ ) = 1] − Pr[A(ℜ contradiction. Hence, Pr[A(ℜ 0 0 a non-negligible advantage, contradiction. 

24